x0rz @x0rz@mastodon.social

Tweets are automatically forwarded from https://twitter.com/x0rz

The NCSC and the NSA just confirmed that Turla 🇷🇺 compromised the APT34 operational infrastructure deeply enough to own all or most of their C2 (aka Oilrig 🇮🇷) https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims #cyber #opsec #attribution https://t.co/zCX3xHBaK8

Great example of terrible threat modeling https://twitter.com/hkashfi/status/1184131357976465415

"Director of Cybercrime"

Does this mean you're the gang leader in cybercrime? 🤔 https://t.co/TSnntkW9Vc

Midnight threat intel idea: buy servers at provider X known to host APT Y C2 infrastructure. Do data carving to find tools, keys and other goodies from APT Y. 🤔🤫

I think EDR should be more of a thing for mobile devices. It’s mostly unexploited territory.

Turla showing us some cool tricks here: marking a host’s encrypted outgoing TLS to uniquely identify victims via SIGINT, and this without touching the network, but by patching the browser’s crypto code https://securelist.com/compfun-successor-reductor/93633/

Ah nevermind, it was already kind of burned. But AFAIK it’s the first time I publicly see someone attributing the Lamberts to the CIA (which tbh, shouldn’t come as a surprise to many)

https://t.co/2F4J4lbtje

Someone making sure he's the only one capable to exploit the vBulletin vulnerability by patching the code and adding a password to the condition, smart move https://www.bleepingcomputer.com/news/security/botnet-uses-recent-vbulletin-exploit-to-block-other-hackers/ (misleading title if you ask me)

What a time to be alive
https://www.cyberscoop.com/donald-trump-crowdstrike-ukraine-phone-call/ https://t.co/V50WiAQiLB

It means we’re actually increasing the cost of an attack: they are now being constrained with opsec procedures (specific toolsets, unique TTPs, etc.), when they want it to be "clean" at least.

The French CERT (@ANSSI_FR) is releasing DFIR ORC, a modular and scalable tool to collect artefacts on Windows systems https://dfir-orc.github.io/

Should I buy Snowden’s book?

Threat actors obtaining code signing certificate issued to a legitimate company by impersonating its executive https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts #threatintel https://t.co/EZ4MDtc83F

Interesting, some people have been targeting whistleblowers at the early stage w/ fake SecureDrop onion websites https://www.bleepingcomputer.com/news/security/phishing-attack-targets-the-guardians-whistleblowing-site/

A vendor should be agnostic about this kind of crap. I just think it’s a very poorly worded statement. That’s all. Don’t overanalyze this.

To be honest, I don’t think the fact a particular vuln has been used to target this or that is relevent here. Don’t blame Apple for that, blame the threat actor abusing the bug.

The chinese hedgehog strategy: it’s the bitter bit (tel est pris qui croyait prendre en Français)

Apple probably have the internal tools to do some great threat hunting at scale w/o invading users privacy. I truly hope they do... or let’s hope they seize this "opportunity" now

And I agree that the homogenous ecosystem makes it easy for a "1 vuln to rule them all" exploit, but it also makes it easier for Apple to remediate ongoing campaigns targeting their devices.